Troubleshooting Group Policies

Or “why is this sh*t not working?”. A comprehensive guide to troubleshooting your group policies.

Troubleshooting GPOs or debugging group policies can be time-consuming and frustrating, especially as the issue can be on the server side as well as on the client side (or somewhere in between, with synchronization or connection problems).

This guide tries to cover all necessary steps to identify the root cause and helps you to solve your issue.

To perform all steps, you will need to have access to at least one domain controller and to the client.

Domain Controller

The domain controller is the first place to look. Open the Group Policy Management Console (GPMC) either on the domain controller or via Remote Server Administration Tools.

1. Check if you have set up the settings

This might sound stupid, but before you check anything else, confirm that you have set up the desired settings in a group policy object.

2. Is the GPO linked to the correct OU?

Without a link, a GPO is nothing. The same goes for GPOs which are linked to an OU with the wrong objects.
In the GPMC, open the details for your GPO and check the “Links” section. Is there an organisational unit (OU) listed and is it the correct one?
Be aware that computer configuration GPOs have to be linked to an OU with computer objects and user configurations have to be linked to an OU with user objects. If you have both, you have to link the GPO to multiple OUs or have your computers and users in one OU. The only exceptions are loopback GPOs, but loopback has to be enabled explicitly.

3. Is the link enabled?

Even if your GPO has a link to an OU, that link might be disabled, in which case it would not work either. In the GPMC, open the details for your GPO and check the links for that GPO. Is the link enabled (the column “Link Enabled” should say “Yes”)? If not, enable it by right-clicking and checking “Link Enabled”.

Enable GPO link

4. Is the GPO or parts of it disabled?

Group Policy Objects have their own status. This means that a GPO, or its computer or user part, can be disabled independently of the link status.
Open the GPO details and click on the tab “Details”. One of the last entries is “GPO Status”. Verify that it is set to “Enabled” or that the settings needed are not disabled.

GPO status

5. User configurations require additional permissions

In June 2016, Microsoft patched a vulnerability in group policy processing that allowed an escalation of privileges.
This update changed the way Windows reads user configuration policies. Before the update, this request was performed with the user’s account. After the update, the computer account is used.
To make user configurations work again, you have to allow computers to read the policies. Open your Group Policy Management Console, select the policy and switch to the Delegation tab. Now click Add, select either “Authenticated Users” or “Domain Computers” (Domain Computers is more restrictive, but is also more secure) and allow “Read” for that group.
If you have a dedicated group of computers that should be the only ones to receive the policies, you can use it instead.

Correct user policy delegation
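
Steps 2 to 5 can also be checked from PowerShell in one pass. The following is an added example, not part of the original guide; it assumes the GroupPolicy module from RSAT is installed, and the function name and the GPO display name are placeholders.

```powershell
# Added example. Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

function Test-GpoBasics {
    param([Parameter(Mandatory)][string]$Name)

    $gpo = Get-GPO -Name $Name -ErrorAction Stop
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Steps 2 and 3: every link target and whether that link is enabled.
    $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{ Target = $_.SOMPath; Enabled = ($_.Enabled -eq 'true') }
    })

    # Step 5: allow entries granting at least Read. Matching on SIDs avoids
    # localized group names: S-1-5-11 is Authenticated Users, RID 515 is
    # Domain Computers.
    $readRights = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $readers = @(Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { -not $_.Denied -and "$($_.Permission)" -in $readRights })
    $computerRead = @($readers | Where-Object {
        $sid = "$($_.Trustee.Sid)"
        $sid -eq 'S-1-5-11' -or $sid -like 'S-1-5-21-*-515'
    })

    [pscustomobject]@{
        Gpo              = $gpo.DisplayName
        Links            = $links
        HasEnabledLink   = [bool]($links | Where-Object { $_.Enabled })
        GpoStatus        = $gpo.GpoStatus      # step 4
        ComputersCanRead = $computerRead.Count -gt 0
        ReadTrustees     = $readers | ForEach-Object { $_.Trustee.Name }
    }
}

# 'Example User Policy' is a placeholder display name.
Test-GpoBasics -Name 'Example User Policy' | Format-List
```

ComputersCanRead only recognises the two built-in groups; if you delegated Read to a dedicated computer group instead, look for it in ReadTrustees.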

6. Check Domain Controller synchronization

If you are using more than one domain controller, the domain controllers are constantly synchronising with each other. That can be AD objects, management information and other data. When a client starts up, it is assigned to a certain domain controller and receives all information from it (you can check the environment variable LOGONSERVER, but it is not 100% accurate). If the client is connected to a domain controller that is not receiving updates to your group policies, it might not be able to apply your settings correctly.
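
One way to see whether a GPO has reached every domain controller is to compare the version numbers each DC reports for it. This is an added example, not part of the original guide; it assumes the GroupPolicy and ActiveDirectory RSAT modules, and the function names and GPO name are placeholders.

```powershell
# Added example. Requires the GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

# Ask every DC in the domain for its copy of the GPO and return the
# version counters stored in AD (DSVersion) and in SYSVOL (SysvolVersion).
function Get-GpoVersionPerDc {
    param([Parameter(Mandatory)][string]$Name)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{
            DC = $dc.HostName; ComputerAD = $null; ComputerSysvol = $null
            UserAD = $null; UserSysvol = $null; Modified = $null; Error = $null
        }
        try {
            $g = Get-GPO -Name $Name -Server $dc.HostName -ErrorAction Stop
            $row.ComputerAD     = $g.Computer.DSVersion
            $row.ComputerSysvol = $g.Computer.SysvolVersion
            $row.UserAD         = $g.User.DSVersion
            $row.UserSysvol     = $g.User.SysvolVersion
            $row.Modified       = $g.ModificationTime
        } catch {
            # DC unreachable, or the GPO has not replicated to it at all.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# True only if every DC answered, AD and SYSVOL agree on each DC,
# and all DCs report the same versions.
function Test-GpoInSync {
    param([Parameter(Mandatory)][object[]]$Rows)

    $ok       = @($Rows | Where-Object { -not $_.Error })
    $mismatch = @($ok | Where-Object {
        $_.ComputerAD -ne $_.ComputerSysvol -or $_.UserAD -ne $_.UserSysvol })
    $distinct = @($ok | ForEach-Object { "$($_.ComputerAD)/$($_.UserAD)" } |
        Select-Object -Unique)
    ($ok.Count -eq $Rows.Count) -and ($mismatch.Count -eq 0) -and ($distinct.Count -le 1)
}

# 'Example User Policy' is a placeholder display name.
$rows = @(Get-GpoVersionPerDc -Name 'Example User Policy')
$rows | Format-Table -AutoSize
"In sync: $(Test-GpoInSync -Rows $rows)"
```

A DC whose numbers lag behind the others shortly after an edit may simply not have replicated yet; a difference that persists points to an AD or SYSVOL replication problem on that DC.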

Client

6. Check network connectivity

If your client has not downloaded the group policy and does not have a working network connection, new or changed policies will not work. Check that the domain controller is pingable.

Open a command prompt and enter the command
set

This will give you a lot of settings. Search for logonserver. That is the domain controller your client is connected to.

To check the connectivity (we assume the domain controller is named dc01), use a command prompt and enter
ping dc01
Check that the server is responding and no packets are missing or dropped.

7. Check GPO processing

Open a command prompt and run the command (You may need an elevated prompt for the computer configuration part):
gpresult.exe /r

gpresult.exe output

This will give you a lot of information:

  • What site is your client assigned to?
  • Does the client have a slow link?
  • Which server did the client connect to and when?

The report then lists the applied GPOs, separated into computer and user settings. If your policy is listed here, it means that the client did process the GPO and the issue is located somewhere else.

You also get a list of group policies the client found (They are assigned to the user or computer OU), but could not apply. Each GPO states the reason why it could not be applied. Reasons can be:

  • Not Applied (Empty): The computer found a valid GPO to apply, but it does not contain any settings.
  • Denied (WMI Filter): The GPO is generally valid for this computer or user, but the WMI filter denied the computer/user access to it. The assigned WMI filter name is displayed next to the filtering.
  • Denied (Security): The computer is not allowed to apply the GPO.
  • Disabled (GPO): The Group Policy or the computer configuration part of it has been disabled.

To verify that the computer or user is not missing from a security group relevant for the GPO, the security groups the computer/user is a member of are listed below.

8. Gpsvc.log

The group policy service can be set to write into a debug file. Open regedit and locate this path:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
(You might have to create the Diagnostics subkey).
Create a new DWORD (32-bit) Value with the name GPSvcDebugLevel and the value 30002 (hexadecimal).

The log file will be in the folder %windir%\debug\usermode. Please note that you might have to create this folder. If the folder does not exist, the log file will not be created.

9. Event log

Even if the processing of GPOs is working correctly, Windows might have issues with single items. For example, a file to be copied might not be accessible.
Windows will write these events to the event log. You can read the events with the Event Viewer (eventvwr.msc).
The group policy related events are located under “Windows Logs” > “System”. Filter the log for the event sources beginning with group policy.

Event viewer group policy event
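
Steps 8 and 9 can be scripted on the client. The following is an added example, not part of the original guide; the function names are placeholders, it must run in an elevated PowerShell session, and limiting the event query to errors and warnings from the last 24 hours is a choice made here.

```powershell
# Added example. Run in an elevated PowerShell session on the client.
$DiagKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$DebugDir = Join-Path $env:windir 'debug\usermode'

# Step 8: set GPSvcDebugLevel and make sure the target folder exists,
# because the service does not create it and then writes no log.
function Enable-GpsvcDebugLog {
    if (-not (Test-Path $DiagKey)) { New-Item -Path $DiagKey -Force | Out-Null }
    New-ItemProperty -Path $DiagKey -Name GPSvcDebugLevel `
        -PropertyType DWord -Value 0x30002 -Force | Out-Null
    if (-not (Test-Path $DebugDir)) {
        New-Item -ItemType Directory -Path $DebugDir | Out-Null
    }
    Join-Path $DebugDir 'gpsvc.log'     # path where the log will appear
}

# Switch debug logging off again once the problem is found.
function Disable-GpsvcDebugLog {
    Remove-ItemProperty -Path $DiagKey -Name GPSvcDebugLevel -ErrorAction SilentlyContinue
}

# Step 9: Group Policy errors and warnings from the System log.
function Get-GroupPolicyEvent {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Level        = 1, 2, 3          # critical, error, warning
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches, so suppress it.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$log = Enable-GpsvcDebugLog
gpupdate.exe /force                     # trigger a processing cycle to log
if (Test-Path $log) { Get-Content $log -Tail 40 }
Get-GroupPolicyEvent | Format-List
```

Call Disable-GpsvcDebugLog when you are done, otherwise the log keeps growing with every policy refresh.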